


Gartner – Information Security Architecture – Three Dimensions

Jun 04, 2007 (3 mins)
Business Continuity, Careers, Data and Information Security

Information Security Architecture – "Architect for choice" I fully concur with, but Tom Scholtz's definition of an Information Security Architecture is really what I would call an overall Information Security Program driven by the Information Security Strategic Plan. He includes process and procedure along with people and technology and calls the result an Information Security Architecture. His model also stretches into gap analysis taken from the standard risk assessment processes that are part of security in the SDLC, including the use of Enclave Boundaries. IMHO, his spreadsheet of Questions – Conceptual Model – Answer – Implications is a standard deliverable from a risk assessment process that is risk-based and data-centric.

A question such as "how open should our system be?" is really a definition of risk based on the sensitivity of the data and the flow of that data (again defined as part of security in the SDLC and a risk assessment). Whether to use SSL VPN, VPN, SSL, etc. is determined during the assessment by following the Enclave Boundaries. Logical controls are also defined in this process. I'm not really seeing anything new here, just a repackaging of what is already being done.

Do I use MAC or DAC (mandatory access control, where the system enforces labels, or discretionary access control, where the resource owner decides)? Again, I will always go back to security in the SDLC as the process for making such determinations. The trick is to have an à la carte menu of security controls: controls that are purely procedural, controls that combine technical and procedural measures, and other combinations and permutations of the people, process and technology defense-in-depth model defined in the Information Security Program. This is where Mr. Scholtz talks about choice. Give your system owners and IT staff an à la carte menu of control options that are risk-based and defined as such.
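To make the MAC-versus-DAC decision concrete, here is an added Python illustration; it is not code from the original post, from Gartner or from Tom Scholtz's material. It models the discretionary rule (the owner's ACL decides), the mandatory rule (the system compares labels, Bell-LaPadula style), and a risk-based selection between the two keyed on the data classification label. The label names, the clearance ordering, the "confidential or above gets MAC" threshold in `select_model`, and the sample users and documents are all assumptions constructed for the example.

```python
"""Added illustration: discretionary vs. mandatory access control, and a
risk-based choice between them keyed on the data classification label."""
from dataclasses import dataclass, field

# Assumed ordering of sensitivity labels (higher number = more sensitive).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str                      # one of LEVELS
    groups: frozenset = frozenset()


@dataclass
class Resource:
    name: str
    owner: str
    label: str                          # one of LEVELS
    acl: dict = field(default_factory=dict)   # DAC: principal -> set of rights


def dac_allows(subject: Subject, resource: Resource, right: str) -> bool:
    """DAC: the owner decides. The owner always has access, and whatever the
    owner placed on the ACL (for users or 'group:<name>') is honoured."""
    if subject.name == resource.owner:
        return True
    rights = set(resource.acl.get(subject.name, ()))
    for g in subject.groups:
        rights |= set(resource.acl.get("group:" + g, ()))
    return right in rights


def mac_allows(subject: Subject, resource: Resource, right: str) -> bool:
    """MAC: the system compares labels; the owner's wishes play no part.
    Bell-LaPadula confidentiality rules: no read up, no write down."""
    s, o = LEVELS[subject.clearance], LEVELS[resource.label]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    return False


def select_model(label: str) -> str:
    """Assumed risk-based rule from the control menu: data classified
    'confidential' or above gets MAC layered over DAC, the rest DAC only."""
    return "MAC" if LEVELS[label] >= LEVELS["confidential"] else "DAC"


def allowed(subject: Subject, resource: Resource, right: str) -> bool:
    """Combined check: when MAC is selected for this data class it must pass
    first, and DAC must still grant, so MAC can only narrow access."""
    if select_model(resource.label) == "MAC" and not mac_allows(subject, resource, right):
        return False
    return dac_allows(subject, resource, right)


def demo() -> dict:
    """Constructed scenario: alice owns a secret document and, as DAC permits,
    puts bob (cleared only to 'internal') on its ACL for read access."""
    alice = Subject("alice", "secret")
    bob = Subject("bob", "internal", frozenset({"eng"}))
    memo = Resource("memo.txt", "alice", "internal", {"group:eng": {"read"}})
    plan = Resource("plan.docx", "alice", "secret", {"bob": {"read"}})
    return {
        "bob_reads_memo": allowed(bob, memo, "read"),         # DAC only: group ACL grants
        "bob_reads_plan_dac": dac_allows(bob, plan, "read"),  # owner said yes
        "bob_reads_plan": allowed(bob, plan, "read"),         # MAC forbids read-up
        "bob_writes_plan": allowed(bob, plan, "write"),       # MAC ok, but no DAC right
        "alice_reads_plan": allowed(alice, plan, "read"),     # owner and cleared
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point the example makes is the one behind the choice: under DAC the owner's grant to bob is final, while under MAC the same grant is overridden by the label comparison, so the model you pick for a data class decides who can override whom. That is exactly the kind of decision a risk assessment against data sensitivity should settle before the control menu is handed to system owners.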

Tom also looks at a Trust Model for the XXX Infrastructure Pattern that goes into the instance and network layers and is scenario-based. Combine this with his conceptual design models and I again see direct parallels to security in the SDLC and the risk assessment process.

Tom also references using CMMI to measure the maturity of the Information Security Architecture. This is a good model, but I tend to gravitate towards ISO 27001 combined with the 0-to-5 CMM maturity levels. The radar chart he uses has been pretty standard in the organizations I have worked in for several years now as a tool to define Ideal, Desired and Actual. Excel can produce the radar chart. I use it consistently to measure ISO 27001 maturity, and subsets of each ISO 27001 domain, as part of continuous information security process improvement (as directed in the program and strategy).

If you really want to see what Tom is referring to, which has (for the most part) been established for several years, take a look at the Information Assurance Technical Framework (IATF) Release 3.1, published by the IATF Forum in September 2002. If you have access, most of his discussion revolves around Chapters 1 and 2.

Again I ask: tell me something new...